Misuse-Resistant Variants of the OMD Authenticated Encryption Mode

We present two variants of OMD which are robust against nonce misuse. Security of OMD—a CAESAR candidate—relies on the assumption that implementations always ensure correct use of nonce (a.k.a. message number); namely that, the nonce never gets repeated. However, in some application environments, this non-repetitiveness requirement on nonce might be compromised or ignored, yielding to full collapse of the security guaranty. We aim to reach maximal possible level of robustness against repeated nonces, as defined by Rogaway and Shrimpton (EUROCRYPT 2006) under the name misuse-resistant AE (MRAE). Our first scheme, called misuse-resistant OMD (MR-OMD), is designed to be substantially similar to OMD while achieving stronger security goals; hence, being able to reuse any existing common code/hardware. Our second scheme, called parallelizable misuse-resistant OMD (PMR-OMD), further deviates from the original OMD design in its encryption process, providing a parallelizable algorithm, in contrast with OMD and MR-OMD which have serial encryption/decryption processes. Both MR-OMD and PMR-OMD are single-key mode of operation. It is known that maximally robust MRAE schemes are necessarily two-pass, a price paid compared to a one-pass scheme such as OMD. Nevertheless, in MR-OMD and PMR-OMD, we combine the two passes in a way that minimizes the incurred additional cost: the overhead incurred by the second pass in our two-pass variants is about 50 % of the encryption time for OMD.

[1]  Phillip Rogaway,et al.  Authenticated-encryption with associated-data , 2002, CCS '02.

[2]  Kan Yasuda,et al.  BTM: A Single-Key, Inverse-Cipher-Free Mode for Deterministic Authenticated Encryption , 2009, Selected Areas in Cryptography.

[3]  Aggelos Kiayias,et al.  Traitor Tracing with Constant Transmission Rate , 2002, EUROCRYPT.

[4]  Tatsuaki Okamoto,et al.  Advances in Cryptology — ASIACRYPT 2000 , 2000, Lecture Notes in Computer Science.

[5]  John Viega,et al.  The Security and Performance of the Galois/Counter Mode (GCM) of Operation , 2004, INDOCRYPT.

[6]  Morris J. Dworkin,et al.  Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality [including updates through 7/20/2007] , 2004 .

[7]  Serge Vaudenay,et al.  Advances in Cryptology - EUROCRYPT 2006 , 2006, Lecture Notes in Computer Science.

[8]  Morris J. Dworkin SP 800-38C. Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality , 2004 .

[9]  Mihir Bellare,et al.  The EAX Mode of Operation , 2004, FSE.

[10]  Gerhard Goos,et al.  Fast Software Encryption , 2001, Lecture Notes in Computer Science.

[11]  Stefan Lucks,et al.  McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes , 2012, FSE.

[12]  Andrey Bogdanov,et al.  Parallelizable and Authenticated Online Ciphers , 2013, IACR Cryptol. ePrint Arch..

[13]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[14]  Mihir Bellare,et al.  Encode-Then-Encipher Encryption: How to Exploit Nonces or Redundancy in Plaintexts for Efficient Cryptography , 2000, ASIACRYPT.

[15]  Thomas Shrimpton,et al.  Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem , 2006, IACR Cryptol. ePrint Arch..

[16]  Jonathan Katz,et al.  Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation , 2000, FSE.

[17]  Mihir Bellare,et al.  OCB: a block-cipher mode of operation for efficient authenticated encryption , 2001, CCS '01.

[18]  Morris J. Dworkin,et al.  SP 800-38D. Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC , 2007 .

[19]  Pil Joong Lee,et al.  Advances in Cryptology — ASIACRYPT 2001 , 2001, Lecture Notes in Computer Science.

[20]  John Black,et al.  CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions , 2000, Journal of Cryptology.

[21]  David Naccache,et al.  Offset Merkle-Damgård (OMD) version 2.0 A CAESAR Proposal , 2015 .

[22]  Anne Canteaut,et al.  Progress in Cryptology - INDOCRYPT 2004, 5th International Conference on Cryptology in India, Chennai, India, December 20-22, 2004, Proceedings , 2004, INDOCRYPT.

[23]  Chanathip Namprempre,et al.  Reconsidering Generic Composition , 2014, IACR Cryptol. ePrint Arch..

[24]  Elisabeth Oswald,et al.  Advances in Cryptology – EUROCRYPT 2014 , 2014, Lecture Notes in Computer Science.

[25]  Carlos Cid,et al.  On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes , 2013, Journal of Cryptology.

[26]  Serge Vaudenay,et al.  Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS , 2002, EUROCRYPT.

[27]  Kan Yasuda,et al.  HBS: A Single-Key Mode of Operation for Deterministic Authenticated Encryption , 2009, FSE.

[28]  Phillip Rogaway,et al.  The Software Performance of Authenticated-Encryption Modes , 2011, FSE.

[29]  Markku-Juhani O. Saarinen Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes , 2012, FSE.

[30]  Morris J. Dworkin,et al.  SP 800-38B. Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication , 2005 .

[31]  Marcin Wójcik,et al.  Does My Device Leak Information? An a priori Statistical Power Analysis of Leakage Detection Tests , 2013, ASIACRYPT.

[32]  Phillip Rogaway,et al.  Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC , 2004, ASIACRYPT.

[33]  Khawaja Amer Hayat,et al.  Password Interception in a SSL/TLS Channel , 2004 .

[34]  Stefan Lucks,et al.  McOE: A Foolproof On-Line Authenticated Encryption Scheme , 2011, IACR Cryptol. ePrint Arch..

[35]  Carlos Cid,et al.  On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes , 2013, FSE.

[36]  Aggelos Kiayias,et al.  Polynomial Reconstruction Based Cryptography , 2001, Selected Areas in Cryptography.